Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

TOP OF THE NEWS

President Bush has signed the National Strategy to Secure Cyberspace. The document will be released to the public within the next few weeks. In addition, Richard Clarke, White House cybersecurity advisor, is resigning his post; Clarke's deputy, Howard Schmidt, has assumed his duties. Schmidt is the former chief security officer for Microsoft Corp. and has a strong sense of the importance of government and the private sector working together to address cybersecurity.
-http://www.washingtonpost.com/wp-dyn/articles/A6320-2003Jan31.html
-http://www.washingtonpost.com/wp-dyn/articles/A3285-2003Jan30.html
[Editor's Note (Schultz): Howard Schmidt is a top-notch person, and I am glad to see that he is assuming the role vacated by Richard Clarke. (Paller) Dick Clarke did more to advance the cause of cybersecurity than anyone else inside or outside government. He'll be sorely missed by everyone who cares about protecting networks from attack. ]

GEWIS Internet Monitoring System (31 January 2003)

The Bush administration is creating an Internet monitoring system that will provide a picture of the Internet's health. The Global Early Warning Information System (GEWIS - "Gee-whiz") is intended to detect and respond to denial-of-service attacks and other cyber incidents. GEWIS is being built by the National Communications System, a defense agency, which receives real-time network status information from ISPs and telecommunications providers.
-http://www.washingtonpost.com/ac2/wp-dyn/A3409-2003Jan30
[Editor's Note (Ranum): The only way to respond to DOS is to be in the route the traffic is going to traverse. Detection by itself is a hard problem, but this whole concept is ridiculous as it's described. Of course phase 1 is just to provide a "Gee whiz" graphical picture of the health of the Internet. That's doable, given the right data. I bet that they won't get farther than that. (Paller) I disagree with Marcus on this one. Marcus is correct that only someone "in the path" can stop the attack. That "someone" is usually the ISP. When Internet Storm Center found the Lion worm, SANS analysts quickly informed the folks at the ISPs who acted instantly to block the China.com site where the worm was sending stolen password files. In other words, early detection can lead to immediate remediation. ]

Slammer is Fastest Spreading Worm (3 February 2003)

The Slammer worm infected 90% of vulnerable computers within ten minutes, according to the Cooperative Association for Internet Data Analysis (CAIDA). The number of infected hosts doubled every 8.5 seconds; after three minutes, Slammer was generating 55 million scans for vulnerable computers every second.
-http://news.zdnet.co.uk/story/0,,t269-s2129785,00.html

Robert Kepple, who last summer pleaded guilty to selling answers to Microsoft certification examinations on the Internet, was sentenced to a year and a day in prison and ordered to pay a fine of half a million dollars. In addition, Kepple will be under supervision for three years after his release.
-http://certcities.com/editorial/news/story.asp?EditorialsID=401
[Editor's Note (Paller): As intellectual property becomes a larger component of wealth, this type of prosecution will become much more frequent. ]

Trojan Writers Exploit Outlook Express To Get Around Content Filtering (31 January 2003)

Virus authors and Trojan writers are using fresh malware tricks to fool traditional content filtering packages, email security firm MessageLabs says. A feature of Microsoft Outlook Express can be exploited to evade content filters and persuade an email recipient that an attachment is safe to open - even when it contains malicious code. Microsoft Outlook is not at risk (contrary to first reports of the problem).
-http://www.theregister.co.uk/content/56/29137.html

THE REST OF THE WEEK'S NEWS

Air Force Staff Sergeant Sentenced for Theft of Notebook Computers and PDAs (3 February 2003)

Air Force Staff Sergeant Sheridan Ferrell II was sentenced to six years in military prison for stealing four notebook computers and two Palm Pilots from US Central Command in Tampa, Florida. The items, some of which contained sensitive data, were stolen last summer and were recovered at Ferrell's home. He apparently stole the items because he was angry that he had been passed over for promotion. Ferrell was also demoted and will be dishonorably discharged after he completes his prison term.
-http://www.gcn.com/vol1_no1/daily-updates/21034-1.html

Slammer Demonstrates Microsoft Has a Long Way to Go on Trustworthy Computing (1 February 2003)

Some local computer scientists have expressed concern over Santa Clara (CA) County's plan to introduce direct-recording electronic voting as a replacement for its present punch card system. The computer scientists fear that the all-electronic system offers no way for voters to validate that their selections were recorded accurately; they would rather see a system that prints out a paper ballot and provides an audit trail.
-http://online.securityfocus.com/news/2197
-http://www.wired.com/news/business/0,1367,57490,00.html
[Editor's Note (Schultz): It's premature to say that Microsoft's Trustworthy Computing Initiative (TCI), which is not even one year old yet, is a failure. It's true that serious vulnerabilities in Microsoft products are being discovered all the time, but these vulnerabilities are in older products, products that were not developed when the TCI went into effect. We should instead turn our attention towards new Microsoft products such as Windows Server 2003 when deciding whether or not TCI is successful. ]

Benchmark Could Have Slowed Slammer's Progress (31 January 2003)

Slammer's rapid spread across the Internet could have been slowed if companies had installed the patch Microsoft had issued for the vulnerability and if they had used the free Consensus Minimum Security Benchmarks, which are designed to detect vulnerabilities, including the one exploited by Slammer. The benchmarks were developed by five federal agencies, the SANS Institute and the Center for Internet Security (CIS).
-http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78063,00.html
[Editor's Note (Schultz): There was no patch for those who installed the Microsoft Desktop Engine (MSDE) using the Microsoft .NET Framework Software Developer's Kit until several days after Slammer first struck the Internet. ]

FAA Security Practices Helped Fend off Slammer (28 January 2003)

The Federal Aviation Administration (FAA) came through Slammer relatively unscathed: only one administrative server was compromised. FAA CIO Daniel Mehan credited his agency's cyber security strategies, which include keeping current on patches, providing regular training for employees, isolating mission critical flight control computers from web connected machines, using firewalls and conducting regular internal security audits. The FAA is also working with some vendors on building security into their products.
-http://www.idg.net/ic_1041353_9676_1-5123.html

Missing Hard Drive Contains Data that Could be Used in Identity Theft (30 January 2003)

The Royal Canadian Mounted Police (RCMP) and the Regina (Saskatchewan) Police Service are investigating the disappearance of a computer hard drive that contains personal information belonging to 180,000 customers of Co-operators Life Insurance Company; the information could be used to steal people's identities. Co-operators' customers have been sent a letter describing the situation. ISM Canada, the company that stored the data, says other clients' data is also on the disk.
-http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1035777205819&call_pageid=968332188492&col=968793972154
-http://www.theregister.co.uk/content/55/29117.html

Take Steps to Protect Databases, Warn Lawyers (30 January 2003)

Lawyers in the UK are warning companies to take steps to better protect their databases after two incidents of attempted data theft were reported recently. The databases may have been targeted to harvest e-mail addresses for mass mailings. The lawyers say companies should document the steps they take to secure the data and develop disaster plans that can be implemented in the case of an attack.
-http://www.vnunet.com/News/1138363

Consortium Wants Increased Cybersecurity R&D (30/31 January 2003)

The Institute for Information Infrastructure Protection (I3P) wants the government and private sector companies to conduct research and development in eight areas of cybersecurity, including secure system and network response and recovery, enterprise security management, and traceback, identification and forensics. I3P is a consortium of security research institutions funded by the National Institute of Standards and Technology (NIST) and based at Dartmouth College in Hanover, New Hampshire.
-http://www.idg.net/ic_1066736_9677_1-5046.html

Georgia to Implement Behavior Based Intrusion Detection System (29 January 2003)

The State of Georgia plans to implement a behavior based intrusion detection system. The state's computer network security has included firewalls and signature-based intrusion detection systems; the addition of the behavior-based system should help reduce the likelihood that state computer systems will be hit with viruses and worms whose signatures are unknown. The system establishes a baseline of normal network behavior and notifies the administrator about any deviation from it.
-http://www.fcw.com/geb/articles/2003/0127/web-georgia-01-29-03.asp
[Editor's Note (Ranum): Many organizations have planned behavior-based IDS. Very few of the behavioral systems have paid off, unless they are supported with vast amounts of expertise or manpower. Perhaps this would be more newsworthy after they've succeeded. ]
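As an added illustration of the baseline-and-anomaly approach this item describes (example code written for this page, not Georgia's system or any vendor's product), the following Python learns, per source host, how many distinct destinations that host normally contacts per minute, then flags later minutes that exceed the learned baseline. The hosts, flow records, training-window length and the `k`/`floor` thresholds are all assumptions chosen for illustration; a worm-like host that suddenly fans out to 40 destinations on one port is the constructed anomaly.

```python
"""Behaviour-based detection: per-host baseline of distinct destinations/minute.

Constructed example for illustration; no real traffic or product is involved.
"""
from collections import defaultdict
from statistics import mean, pstdev

TRAIN_END = 10  # assumed: minutes 0-9 are the training window


def _mk(minute, src, n_dsts, port):
    """Build n_dsts constructed flow tuples (minute, src, dst, dst_port)."""
    return [(minute, src, f"192.0.2.{i}", port) for i in range(1, n_dsts + 1)]


# Constructed flows.  Two quiet hosts during training, then at minute 10 one
# of them fans out to 40 destinations on udp/1434 while the other rises only
# slightly; at minute 11 a host with no history appears.
FLOWS = []
for m, n in enumerate([4, 4, 5, 4, 4, 5, 4, 4, 5, 4]):
    FLOWS += _mk(m, "10.0.0.5", n, 443)
for m, n in enumerate([2, 2, 3, 2, 2, 3, 2, 2, 3, 2]):
    FLOWS += _mk(m, "10.0.0.9", n, 80)
FLOWS.append((0, "10.0.0.5", "192.0.2.1", 443))  # duplicate flow, must not inflate the count
FLOWS += _mk(10, "10.0.0.5", 6, 443)              # mild rise on the quiet host
FLOWS += _mk(10, "10.0.0.9", 40, 1434)            # worm-like fan-out
FLOWS += _mk(11, "10.0.0.77", 3, 80)              # never seen during training


def distinct_dsts(flows):
    """Map (minute, src) -> number of distinct destinations contacted."""
    seen = defaultdict(set)
    for minute, src, dst, _port in flows:
        seen[(minute, src)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items()}


def build_baseline(flows, train_end):
    """Per-source (mean, population stdev) of distinct dsts/minute over the
    training window.  Minutes with no flows from a host are not counted as
    zeros, so the baseline reflects the host's active minutes only."""
    per_src = defaultdict(list)
    for (minute, src), n in distinct_dsts(flows).items():
        if minute < train_end:
            per_src[src].append(n)
    return {src: (mean(v), pstdev(v)) for src, v in per_src.items()}


def detect(flows, baseline, start, k=3.0, floor=10):
    """Return alerts (minute, src, observed, threshold, reason) for minutes >= start.

    threshold = max(floor, mean + k*stdev): the floor keeps a very quiet host
    from alerting on a trivial absolute increase.  Hosts with no baseline are
    reported separately rather than silently ignored."""
    alerts = []
    for (minute, src), n in sorted(distinct_dsts(flows).items()):
        if minute < start:
            continue
        if src not in baseline:
            alerts.append((minute, src, n, None, "no baseline"))
            continue
        mu, sigma = baseline[src]
        threshold = max(floor, mu + k * sigma)
        if n > threshold:
            alerts.append((minute, src, n, threshold, "rate anomaly"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(FLOWS, TRAIN_END)
    for alert in detect(FLOWS, base, TRAIN_END):
        print(alert)
```

With the defaults the run reports the fan-out host at minute 10 and the unknown host at minute 11, and nothing for the quiet host's rise from about 4 to 6 destinations. Set `floor=0` and that rise alerts too, because 6 exceeds mean + 3 stdev on such a tight baseline; choosing floors, training windows and new-host rules per environment is the expertise Ranum's note says these systems demand.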

Dummy Server (Honeypot) Attracts Attacks (29 January 2003)

PSINet Europe set up an unprotected "dummy" server at its Amsterdam Internet Data Center; the server was attacked more than 450 times within 24 hours of going on line. The server contained no data and had no public profile. Many of the attacks were made from broadband or cable ISPs; most attacks came from the United States and Western Europe.
-http://zdnet.com.com/2100-1105-982554.html
[Editor's Note (Schultz): When deployed properly, honey pots can be extremely valuable. At a minimum they can serve as a "barometer" of the amount and types of malicious activity on the Internet. ]

Coordinated Effort Helps Track Down Leaves Author (29 January 2003)

This article offers a detailed account of a coordinated effort between the White House, FBI and members of the private sector to track the author of the Leaves worm in the summer of 2001. In the midst of their work, the team was forced to deal with another Internet fiend -- Code Red. In the end the team uncovered the worm's author in the UK, but his identity was never disclosed.
-http://www.govexec.com/dailyfed/0103/012903worm.htm

Fourth Man Arrested in Credit Report Theft Ring (29 January 2003)

A fourth man has been arrested in connection with a massive identity theft ring in which thousands of credit reports were stolen and sold. The newly arrested man could face up to 35 years in prison and more than $1 million in fines if convicted. Another man, who exploited his position at a technology company to obtain the records, will be arraigned this week.
-http://www.cnn.com/2002/TECH/11/26/hln.wired.id.theft/index.html

A security hole in Symantec's "Submit a Deal" website exposed proposals from businesses offering to be bought out by the security company. The compromised information was stored in a Lotus database; the website has since been taken offline.
-http://www.wired.com/news/infostructure/0,1377,57438,00.html

The state of Kansas has begun issuing digital certificates to its employees for use in a public key infrastructure (PKI). Kansas is the first state to implement a statewide PKI, which eliminates the need to integrate systems from multiple providers at a later date. This year, 1,500 employees at two state agencies will receive the certificates.
-http://www.gcn.com/vol1_no1/daily-updates/21004-1.html

A survey conducted by Defcom, a security consultancy, found that companies in the United Kingdom are still reluctant to report security breaches to authorities. Two thirds of the companies participating in the survey indicated they would be fearful of damaging their company's reputation by disclosing cyber security events. Additionally, almost half of the companies' directors were not informed about security breaches.
-http://www.vnunet.com/News/1138317

Root Server Traffic Largely Unnecessary (28 January 2003)

After analyzing the traffic received in one day by one of the Internet's 13 root servers, researchers at the San Diego Supercomputer Center (SDSC) concluded that the vast majority of the queries were unnecessary and could have been answered elsewhere in the network. Roughly 70% were repeat lookups of names that had already been queried, which an ISP's caching resolver should have answered locally; much of the rest consisted of lookups for non-existent domains and queries for "names" that were already numeric IP addresses. The SDSC is developing software tools to help address this problem.
-http://news.bbc.co.uk/2/hi/technology/2699071.stm
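To make the three categories in this item concrete, here is an added Python classifier (written for this page, not the SDSC's tool) that labels root-server query records as repeats a caching resolver should have absorbed, lookups under non-existent top-level domains, or IP addresses queried as if they were names. The log records are constructed, and the short `KNOWN_TLDS` set is an assumed stand-in for the real root zone, which a production classifier would load from IANA.

```python
"""Classify root-server queries by whether the root needed to see them.

Constructed example for illustration; the query records and the TLD list
are assumptions, not real root-server data.
"""
import ipaddress
from collections import Counter

# Assumed subset of delegated TLDs standing in for the real root zone.
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "mil", "arpa", "uk", "de", "jp"}

# Constructed query records: (time, client, qname, qtype).
QUERIES = [
    ("10:00:00", "203.0.113.7", "www.example.com.", "A"),
    ("10:00:01", "203.0.113.7", "www.example.com.", "A"),   # repeat, cacheable
    ("10:00:02", "203.0.113.7", "www.example.com.", "A"),   # repeat, cacheable
    ("10:00:03", "198.51.100.2", "mail.example.org.", "MX"),
    ("10:00:04", "198.51.100.2", "mail.example.org.", "MX"), # repeat, cacheable
    ("10:00:05", "203.0.113.7", "printer.local.", "A"),      # no such TLD
    ("10:00:06", "203.0.113.7", "wpad.", "A"),               # bare label, no such TLD
    ("10:00:07", "198.51.100.2", "192.168.1.1.", "A"),       # IP address as a name
    ("10:00:08", "198.51.100.2", "10.0.0.5.", "A"),          # IP address as a name
    ("10:00:09", "192.0.2.9", "ns1.example.net.", "A"),
]


def is_ip_literal(qname):
    """True when the query name is a bare IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(qname.rstrip("."))
        return True
    except ValueError:
        return False


def tld(qname):
    """Rightmost label of a (possibly fully qualified) name, lower-cased."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def classify(queries, known_tlds=KNOWN_TLDS):
    """Label each record; 'repeat' means the same client asked the same
    (name, type) earlier in the window, i.e. its resolver should have cached it."""
    seen = set()
    labelled = []
    for ts, client, qname, qtype in queries:
        key = (client, qname.lower(), qtype)
        if is_ip_literal(qname):
            label = "ip_literal"
        elif tld(qname) not in known_tlds:
            label = "invalid_tld"
        elif key in seen:
            label = "repeat"
        else:
            label = "necessary"
        seen.add(key)
        labelled.append((ts, client, qname, qtype, label))
    return labelled


def summarize(labelled):
    """Return (per-label counts, fraction of queries the root did not need to see)."""
    counts = Counter(label for *_, label in labelled)
    total = sum(counts.values())
    unnecessary = total - counts["necessary"]
    return counts, (unnecessary / total if total else 0.0)


if __name__ == "__main__":
    counts, fraction = summarize(classify(QUERIES))
    print(dict(counts), f"unnecessary={fraction:.0%}")
```

Negative caching of NXDOMAIN answers and treating IP literals as not-a-DNS-name are both resolver-side fixes, which is why the item frames the problem as one that ISPs, not the root operators, can solve.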

Social Security Number Misuse Prevention Act (27 January 2003)

A bill introduced in the US Senate would prohibit the use of social security numbers on such readily available forms of identification as drivers' licenses and checks and other public records available on the Internet. The goal is to make it harder for identity thieves to obtain the numbers.
-http://www.fcw.com/fcw/articles/2003/0127/web-ident-01-27-03.asp

The Office of Management and Budget (OMB) Circular A-130 establishes minimum security standards for federally owned and operated computer systems; it also requires periodic security awareness training for employees involved with those systems. Though Circular A-130 applies to contractor employees as well, it does not apply to computer systems that are owned and operated by contractors.
-http://www.fcw.com/fcw/articles/2003/0127/pol-carl-01-27-03.asp
[Editor's Note (Ranum): That's silly. If it's got access to your network, it's just as critical to your security as your own machine. ]